Malware Analysis Report

2025-04-19 15:56

Sample ID 240522-zv5pcsgf64
Target 2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike
SHA256 f5b891ae8f3281790e3b0090a1194368806795e7040877bc527c75f4e78bb59f
Tags
upx miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f5b891ae8f3281790e3b0090a1194368806795e7040877bc527c75f4e78bb59f

Threat Level: Known bad

The file 2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike was found to be: Known bad.

Both the Cobalt Strike and the XMRig rules matched in the static and behavioral passes, but none of those matches carries indicator detail in this report. The verdict rests on the recorded behaviour: 21 randomly named executables dropped into C:\Windows\System and executed, SeLockMemoryPrivilege requested by the sample, and repeated TCP connections to 3.120.209.58:8080 with no domain recorded.

Malicious Activity Summary

upx miner cobaltstrike xmrig backdoor trojan

XMRig Miner payload (xmrig family)

Cobalt Strike reflective loader (cobaltstrike family)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-22 21:03

Signatures

Cobalt Strike reflective loader

Cobaltstrike family (cobaltstrike)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload (miner)

Xmrig family (xmrig)

UPX packed file (upx)

Unsigned PE

The static pass records only which rules matched; no Description, Indicator, Process or Target detail is attached to any of them.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 21:03

Reported

2024-05-22 21:05

Platform

win7-20240221-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader (21 rule hits; no Description/Indicator/Process/Target detail recorded)

Cobaltstrike (trojan backdoor cobaltstrike)

xmrig (miner xmrig)

Detects Reflective DLL injection artifacts (21 rule hits; no detail recorded)

UPX dump on OEP (original entry point) (63 rule hits; no detail recorded)

XMRig Miner payload (miner; 39 rule hits; no detail recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A (21 identical rows; the loaded DLL is not named)

UPX packed file (upx; 63 rule hits; no detail recorded)

Drops file in Windows directory

Process (every row): C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe (PID 2000); Indicator and Target: N/A.

Description: File created. 21 files, all directly under C:\Windows\System (the legacy directory, not System32), each with a 7-letter random name:
C:\Windows\System\oOLyCQi.exe
C:\Windows\System\oClRLGC.exe
C:\Windows\System\yJKWIkV.exe
C:\Windows\System\vKxvEGR.exe
C:\Windows\System\hVGPoxi.exe
C:\Windows\System\CWgBBkV.exe
C:\Windows\System\bHkFBHY.exe
C:\Windows\System\rlrcCNs.exe
C:\Windows\System\npiwHQJ.exe
C:\Windows\System\AwVHFPX.exe
C:\Windows\System\dxwneza.exe
C:\Windows\System\kEUivoc.exe
C:\Windows\System\RdqWwXi.exe
C:\Windows\System\tmdCzJE.exe
C:\Windows\System\tJhAHfZ.exe
C:\Windows\System\hahnrgn.exe
C:\Windows\System\iKTzwDD.exe
C:\Windows\System\JIEOtbi.exe
C:\Windows\System\MNbcIJN.exe
C:\Windows\System\VcYLhtl.exe
C:\Windows\System\uMWjaLQ.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A (2 rows)

SeLockMemoryPrivilege is the privilege XMRig enables on Windows to back its mining memory with large pages, which is why this row and the miner tag belong together. A binary running from a user's Temp directory enabling this privilege is a hunting indicator in its own right: few applications outside database servers ever request it.

Suspicious use of WriteProcessMemory

Process (every row): C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe (PID 2000); Indicator: N/A. The sandbox logged each child three times; the rows are collapsed here with their count.

Description Target
PID 2000 wrote to memory of 2784 (3 rows) C:\Windows\System\rlrcCNs.exe
PID 2000 wrote to memory of 2976 (3 rows) C:\Windows\System\npiwHQJ.exe
PID 2000 wrote to memory of 2584 (3 rows) C:\Windows\System\AwVHFPX.exe
PID 2000 wrote to memory of 2636 (3 rows) C:\Windows\System\oClRLGC.exe
PID 2000 wrote to memory of 2516 (3 rows) C:\Windows\System\MNbcIJN.exe
PID 2000 wrote to memory of 2596 (3 rows) C:\Windows\System\yJKWIkV.exe
PID 2000 wrote to memory of 2928 (3 rows) C:\Windows\System\tmdCzJE.exe
PID 2000 wrote to memory of 2128 (3 rows) C:\Windows\System\tJhAHfZ.exe
PID 2000 wrote to memory of 1904 (3 rows) C:\Windows\System\hahnrgn.exe
PID 2000 wrote to memory of 1580 (3 rows) C:\Windows\System\dxwneza.exe
PID 2000 wrote to memory of 1360 (3 rows) C:\Windows\System\kEUivoc.exe
PID 2000 wrote to memory of 2672 (3 rows) C:\Windows\System\VcYLhtl.exe
PID 2000 wrote to memory of 2556 (3 rows) C:\Windows\System\uMWjaLQ.exe
PID 2000 wrote to memory of 1800 (3 rows) C:\Windows\System\iKTzwDD.exe
PID 2000 wrote to memory of 1516 (3 rows) C:\Windows\System\hVGPoxi.exe
PID 2000 wrote to memory of 1732 (3 rows) C:\Windows\System\CWgBBkV.exe
PID 2000 wrote to memory of 2164 (3 rows) C:\Windows\System\JIEOtbi.exe
PID 2000 wrote to memory of 1600 (3 rows) C:\Windows\System\bHkFBHY.exe
PID 2000 wrote to memory of 1424 (3 rows) C:\Windows\System\vKxvEGR.exe
PID 2000 wrote to memory of 336 (3 rows) C:\Windows\System\oOLyCQi.exe
PID 2000 wrote to memory of 780 (3 rows) C:\Windows\System\RdqWwXi.exe
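To turn rows in the format above into something readable, here is an added example (not from the report or the sandbox) that parses the report's own "PID X wrote to memory of Y" rows, collapses the repeated entries, rebuilds the process tree and summarises each parent's fan-out. Only three of the 21 children are embedded as sample input, generated in the exact row format; the parser accepts the full table pasted in unchanged.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows.

Added example, not part of the sandbox report.  REPORT_ROWS reproduces three
of the 21 children in the report's own row format (three rows each, as the
sandbox logged them); paste the whole table in its place and nothing else
needs to change.
"""
import re
from collections import defaultdict

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe")

# Constructed sample input in the report's row format.
REPORT_ROWS = "\n".join(
    f"PID 2000 wrote to memory of {child} N/A {SAMPLE_EXE} C:\\Windows\\System\\{name}.exe"
    for child, name in [(2784, "rlrcCNs")] * 3 + [(2976, "npiwHQJ")] * 3 + [(780, "RdqWwXi")] * 3
)

# groups: parent pid, child pid, Indicator column (N/A here), Process path, Target path
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


def parse_rows(text):
    """Return ({(parent, child): row count}, {pid: image path}).

    Dict insertion order is the order the sandbox logged the rows, i.e. the
    spawn order, so it is preserved rather than sorted."""
    edges = defaultdict(int)
    image = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        parent, child = int(m[1]), int(m[2])
        edges[(parent, child)] += 1
        image.setdefault(parent, m[4])
        image.setdefault(child, m[5])
    return dict(edges), image


def build_tree(edges):
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    return dict(children)


def roots(edges):
    """PIDs that write to others but were never written to themselves."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def spawn_summary(tree, image):
    """Per parent: number of distinct children and the directories they run from."""
    return {
        parent: (len(kids), sorted({image[k].rsplit("\\", 1)[0].lower() for k in kids}))
        for parent, kids in tree.items()
    }


def render(tree, image, edges, pid, depth=0, parent=None):
    """Indented tree lines; each child carries how many rows the sandbox logged for it."""
    note = f"  ({edges[(parent, pid)]} rows)" if parent is not None else ""
    lines = [f"{'  ' * depth}{pid}  {image.get(pid, '?')}{note}"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, image, edges, child, depth + 1, pid))
    return lines


if __name__ == "__main__":
    edges, image = parse_rows(REPORT_ROWS)
    tree = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(tree, image, edges, root)))
    for parent, (count, dirs) in spawn_summary(tree, image).items():
        print(f"PID {parent} spawned {count} children from {dirs}")
```

Run against the full table, spawn_summary reports one parent with 21 children, all from c:\windows\system, which is the single number that best captures this detonation.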

Processes

PID 2000 "C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe" (submitted sample; parent of every process below, per the WriteProcessMemory rows)

PID 2784 C:\Windows\System\rlrcCNs.exe
PID 2976 C:\Windows\System\npiwHQJ.exe
PID 2584 C:\Windows\System\AwVHFPX.exe
PID 2636 C:\Windows\System\oClRLGC.exe
PID 2516 C:\Windows\System\MNbcIJN.exe
PID 2596 C:\Windows\System\yJKWIkV.exe
PID 2928 C:\Windows\System\tmdCzJE.exe
PID 2128 C:\Windows\System\tJhAHfZ.exe
PID 1904 C:\Windows\System\hahnrgn.exe
PID 1580 C:\Windows\System\dxwneza.exe
PID 1360 C:\Windows\System\kEUivoc.exe
PID 2672 C:\Windows\System\VcYLhtl.exe
PID 2556 C:\Windows\System\uMWjaLQ.exe
PID 1800 C:\Windows\System\iKTzwDD.exe
PID 1516 C:\Windows\System\hVGPoxi.exe
PID 1732 C:\Windows\System\CWgBBkV.exe
PID 2164 C:\Windows\System\JIEOtbi.exe
PID 1600 C:\Windows\System\bHkFBHY.exe
PID 1424 C:\Windows\System\vKxvEGR.exe
PID 336 C:\Windows\System\oOLyCQi.exe
PID 780 C:\Windows\System\RdqWwXi.exe

The 21 children are the files the sample dropped into C:\Windows\System, listed in spawn order; each was launched with its own path as the complete command line.

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp

The sandbox logged six connections to this one endpoint during the 148 s network window, all direct to the IP with no domain recorded, on a port that is neither 80 nor 443.

Files

memory/2000-0-0x000000013F440000-0x000000013F791000-memory.dmp

memory/2000-1-0x0000000000080000-0x0000000000090000-memory.dmp

C:\Windows\system\rlrcCNs.exe

MD5 c68a50e0a897cc2c63c63a9297f49583
SHA1 b7664e57a3cd3bc58950b9a56140e722ba776210
SHA256 10fe6c2a25661bf2a579ae256ae3cd70133c4af63059d77a4b1cfb249ab44eb5
SHA512 ee0c1b805bef065482bed07613be709d6d042032cfd60dbbee5d3fe63985a842010a2c912fabc10533e2b800d05b04e7f77dfccc4b06502cccc2700441340ab5

memory/2784-9-0x000000013F660000-0x000000013F9B1000-memory.dmp

C:\Windows\system\npiwHQJ.exe

MD5 c66fa88bcff11fafaf128d479e096c52
SHA1 0e07486d4fa0b391e43b5759ce685e2c08aeba74
SHA256 2949c59f535cf9e527b55ece1a99f1b3bbb40d9c49ae3e4afaaffa85dea54cb5
SHA512 8bc101642ff21f877f69932eb1e75850f8398e5f66d45da977df76823ef568c5cc073bf1d47777a22962f8ca421e25b88fd5101a667a8927f897a39be1779426

C:\Windows\system\AwVHFPX.exe

MD5 a574db9a770c91ce109a6bc99ee8c1f1
SHA1 05f16baecea4b66d5d5df8683d84d4e06242d63f
SHA256 0068be446b3d8cd4ac34a064876de82234e71375b8934d0ac144e184ae19cd89
SHA512 6787a9a1d79d5c573726cb4d7419a487571d8ad6976188c7535ee0de57b6c5e3490984992647c367882105ff33df224e3d8c435b60d4083ff722a81c22ba5c29

memory/2000-8-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2976-15-0x000000013FE30000-0x0000000140181000-memory.dmp

C:\Windows\system\oClRLGC.exe

MD5 23ad2b4936a3397e834aec6b6764ba6b
SHA1 c72f6db259a50c637fcc865e2252c88e590738c0
SHA256 53071b73eac629e8d87b5b2156178b34ab084a0e8e571f214e2c23005a3ec084
SHA512 ee1ab822c8abaabfa779e65d87adeba8e5d16bfb56d037bef30ac923143631881a65a42c27c5c9a7309cdf593102a56c6e1ca110a45fc19cc025269fc1cfaa3b

memory/2636-35-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/2516-34-0x000000013FD60000-0x00000001400B1000-memory.dmp

C:\Windows\system\yJKWIkV.exe

MD5 cd44357152911c33dc86683e2c9407fd
SHA1 be704c030904eb5ace88d375a99b5febc1a8b1fd
SHA256 eb77c138b90fb7b52f6381d07fbc3204a077c1582f02e34cbc54253dd4bcdf83
SHA512 345cd9c96f80ebf72b3603ddc38a2dbcf04421d2c9cedd13338c489be716a2b5c1dfb158d1124d0d0cd1616935cdd938fecc555288dc7020566a044a7bfb2c10

C:\Windows\system\tJhAHfZ.exe

MD5 094b8cd4d8c52799029ec4873411b901
SHA1 13a20faf0fdebe61b9fd56ba3960c1f1c3f9ece3
SHA256 4aa9d8b3dc761e805657a47befbb30f65524d84f66ba92ef51b76c077aaa49ed
SHA512 24066795fc07b23f9b9f4048affc3f573c62c4fa77b2f84078341445e213e17f58d7d4db0b105246e622872820c769d41bab5448fc4c66460306597caa1dad65

memory/1904-63-0x000000013FEC0000-0x0000000140211000-memory.dmp

C:\Windows\system\kEUivoc.exe

MD5 e30c10f817d419a9e57a4ff0ccc142a8
SHA1 c163733e3200202d7935c70b35775a80b1eb126b
SHA256 b61737de690ffd57657fae2716cc552ccf0e99e5856a1d30ea2e7578455c52ad
SHA512 d36034ca8f6804f64c9b80466d49046ba94e16d25038732a239d37dc1b8ad093247b1df880e93846f51cc87b98bcd3c82d50c4f77fb667c4330313cbf02cf753

memory/1360-76-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2556-91-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

C:\Windows\system\iKTzwDD.exe

MD5 c08370082975b5519f98fbbe6831e055
SHA1 351342be9024a3bc66961b5c1b789245d44ae976
SHA256 8f6955c96b5d6e0037a6784786c37e63d112349a1a486601d6890a45e7de3692
SHA512 2d0581ce2294f82e87549deaf1faca66804f79933902778d43a6e9038b943e309af1d37050562dece1f45296239a430f4c844956b36cbb384f018ff27f547db1

memory/1800-98-0x000000013F090000-0x000000013F3E1000-memory.dmp

C:\Windows\system\CWgBBkV.exe

MD5 ca47a24747cf73bd8c9ee4bb01f25fdd
SHA1 ebe7d5ec45ba7dccce48521b1926a93127295909
SHA256 4602958744bfa7070701f7f56fe19cb1446c908648b2f075d194628093a2a42f
SHA512 fbb1badde4cbd1de822451520b47f470f6302c3cbb471ed1650bb2fbda928f3f3176be2a6f419350592a05bb9d61cc576471b9db6450a46ed55b56e7e5290230

C:\Windows\system\oOLyCQi.exe

MD5 5e1718309f5911c1ac88e32141d2915c
SHA1 82720551fd43be9d9582b913ae482ed7d4ae9817
SHA256 87e53b0a5b583b022faefe04de86247be4b1f6a4850a34250632d985d724da66
SHA512 241c203632d63957d94a18d608a51918e0f850593d7ab8afb44865c6f183485e21d877e74a86debe91e02d259639ef2faa232f6e995b3b47fb9c55c8a8728d87

C:\Windows\system\RdqWwXi.exe

MD5 551feb8a00c4136cb453095ebe4fd9f3
SHA1 8114dd338dd164cc79f8848a33e8d7ee55d9b7f0
SHA256 8ec7e64994e7fd1dab08ae07a1c9bb1afcae2d5d599448f406df3413acf22357
SHA512 02fb3233aa9e80ed85ba693306b4681a2be9d7a79c10770b399fc1b041561d41ea70c9424302ff06c9acaaadf3426c40a6624f4c09b798e00e156c79f7dfaf24

C:\Windows\system\vKxvEGR.exe

MD5 3f45937c2b99db5f7e11238bfc09df13
SHA1 89150d0c683cfc6350377de45fb1593e10c99bbc
SHA256 3f88f87d486b4fb229d30d93ca24db9d52e422f31e615b582dca788fb60556d1
SHA512 31de88b0f3569d358ad4e4ade340b2619ea8ebd533fe9710964f9f4f028a0cbc4887bef46290a974ac351d609d3d06123d99de48c5914ff313a8c069f2712749

C:\Windows\system\bHkFBHY.exe

MD5 a276916279ead9e659f7d387943440ac
SHA1 6a0e70b354f028d3ac7994e5dbd52efc40bdeaaf
SHA256 824ca288c0bf57dce875b1b3392a7bd91c26607bdbe61925fdf19e34ea74c18f
SHA512 73686f594e8cf41e88a528641fe40680ba3512d22c743fbc457abf5a9a09d7f62609a59008142830e007adb4a0ef95058a50038c679a1e4bed69092dec86f15e

C:\Windows\system\JIEOtbi.exe

MD5 971ff64b0fcdd29d5b37a4198201d98c
SHA1 7087499da5e17ced66c32ea9b7a228f82649f3a5
SHA256 5d88c6c9a14ee11cf101287f1994f6771348394792164b9fc5e37024bd1c46e4
SHA512 97e3454750bc877665e737673aa85399c0d6416b59ec70e0b93b9b91e77e42254403707b8c3de781e8cbcc8981927f85614c6a93d4e7a2a3da9dd3053f7ee4e1

memory/2000-104-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2596-103-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/2000-102-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/2516-97-0x000000013FD60000-0x00000001400B1000-memory.dmp

C:\Windows\system\hVGPoxi.exe

MD5 d1cd782d694a8d035f6df2cc6f83e10f
SHA1 15e1e2decf18769214514ece837d740cd9ea36a9
SHA256 d9eb2f38839dd6daf6bb514d640bf4b915f99ff7f57dbfff39f0fe7f41da3659
SHA512 74d31140dd103cc3ed30a06122fb2191059459d0c46c7a3fe905a159fae12b6e6bf5dfcac12f185c607b8fdd4287b10452b4705aca9567f3e8293ece0668c22c

memory/2000-90-0x00000000022D0000-0x0000000002621000-memory.dmp

C:\Windows\system\uMWjaLQ.exe

MD5 3d867a878a6d7f6a3e7531858ae2fbba
SHA1 831689fa7971dd0c6f8ea3c2b9bd7277204f7a6f
SHA256 668edf4dd18064a0a0e531ed6ecb05a687a1a66f5b9a6b881462521612e5853c
SHA512 db00799cf0d3f4f6751dc21d959ae68480f9b87f5a1c7475f733cedcfe71a8551f99e5a294ea7426e9645daf41cb635f4a79e7b6df9d9541eba84e230ad7a848

memory/2672-84-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2000-83-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2976-82-0x000000013FE30000-0x0000000140181000-memory.dmp

C:\Windows\system\VcYLhtl.exe

MD5 f52641e2abf962a63038fbc6196d7004
SHA1 6deb0b6ab7353bba11a8e01e9d8880dc70db4584
SHA256 ad25f8fe14b40bceb8da76c65e82ad6f387fc183b50a1dc18e25c52ab31d6716
SHA512 3799f9d95d017d751697ceb9890e7147792a66168d8cd7f51ebdc500c6927c35e1005c2c2c4aa48d6c36d8794dd1568fa1e0fe6ec862264b80fec6ffbff9c0b3

memory/1580-70-0x000000013F230000-0x000000013F581000-memory.dmp

memory/2000-69-0x000000013F440000-0x000000013F791000-memory.dmp

C:\Windows\system\dxwneza.exe

MD5 2fa3c0db1449c1f6af2a19d6e3fd44e1
SHA1 ab29eb1555d3f05df9daa7763914ef8966f8d05e
SHA256 7320f55a223301ac17de3a747452ee18463c9205a0d8c17666caf6c4101df1ba
SHA512 af8cab6303685aef45f52c29aea18743bbb9476628d69f3acda272ccebd9291d4d9daf903fd4a37951d79177306e6163f9947870cd2550554d17f6dac2908c8d

memory/2000-62-0x000000013FEC0000-0x0000000140211000-memory.dmp

C:\Windows\system\hahnrgn.exe

MD5 d311ca33e1888aa854e594b22ed8a3be
SHA1 6b960aed0c17c2ba469029b9a1e464f5cba5b6f7
SHA256 fec68641ee15f35a0f2e83293f35149fb9a0dbb1b7fdbfc00b3438557fb54033
SHA512 7a3deb886bf7bc8432cb221eace016577600e2769cd84c236f3d3260b86a83aff2236f8117feaae6c9efff9c093528f49c1ce3988c38a68764d579e71bacd60c

memory/2128-56-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2000-55-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2928-49-0x000000013FCE0000-0x0000000140031000-memory.dmp

memory/2000-48-0x000000013FCE0000-0x0000000140031000-memory.dmp

C:\Windows\system\tmdCzJE.exe

MD5 7fd30628914668e17f269f1d1dbdac19
SHA1 3476aacec4b3dc721fb1f4f894963149d0f91e85
SHA256 941618d5537d132caac0d4607cef118fd39eb17789f6e8ab9ef3ed1c0f9a7436
SHA512 374b6012839bb9dc88c6635242b0b63173265295f52fbaca5782f8bad4aa08b6a57fdae3d63e1590a4583618673ff858e71a42b37fee5d027ffbe7f7a4d2daa1

memory/2596-39-0x000000013FFC0000-0x0000000140311000-memory.dmp

C:\Windows\system\MNbcIJN.exe

MD5 ef9b862b3b3b57d7cc1d2a0b5c4e31aa
SHA1 41f48e9eacc018d07c7607641cc3bbce559109bd
SHA256 a29c9e897f6aebde17a0c3aa734fef907d2b6b7152512677547f720fd5b02b90
SHA512 3688a4c5523832b92f1323eac742176d62de21086ed8b24a56cdd405195937820de52173c3d45b3fb2d762137a73d4f2bd47f971f4626da1e3452b46197f2212

memory/2000-30-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/2000-29-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2584-28-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2000-14-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2000-136-0x000000013F440000-0x000000013F791000-memory.dmp

memory/1600-154-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/2000-158-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/336-156-0x000000013F7E0000-0x000000013FB31000-memory.dmp

memory/1424-155-0x000000013F400000-0x000000013F751000-memory.dmp

memory/2164-153-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/1732-152-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/1516-151-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/780-157-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/2000-159-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2000-160-0x000000013F440000-0x000000013F791000-memory.dmp

memory/2000-173-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/2784-213-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/2976-215-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2584-217-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2636-219-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/2596-221-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/2516-223-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/2928-225-0x000000013FCE0000-0x0000000140031000-memory.dmp

memory/2128-227-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/1904-229-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/1580-231-0x000000013F230000-0x000000013F581000-memory.dmp

memory/1360-233-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2672-235-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2556-237-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

memory/1800-239-0x000000013F090000-0x000000013F3E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 21:03

Reported

2024-05-22 21:05

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JIEOtbi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\npiwHQJ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\yJKWIkV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tmdCzJE.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\tJhAHfZ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hahnrgn.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\dxwneza.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\CWgBBkV.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\RdqWwXi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oClRLGC.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\VcYLhtl.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\uMWjaLQ.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\bHkFBHY.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\rlrcCNs.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\iKTzwDD.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\hVGPoxi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\oOLyCQi.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\AwVHFPX.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\MNbcIJN.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\kEUivoc.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
File created C:\Windows\System\vKxvEGR.exe C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe N/A
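
SeLockMemoryPrivilege ("Lock pages in memory") is the right a process needs to allocate large pages, and XMRig enables it to back its RandomX dataset with them. The right is assigned to no account by default, so on an unmodified host the request fails and the miner falls back to normal pages; the sandbox signature fires on the API call, not on its outcome. Outside a short list of legitimate large-page users (database engines, chiefly), an executable enabling this privilege is a strong signal. The report records the two adjustments by the parent process but no event-log detail, so the following added example (not part of this report or of the sandbox that produced it) applies that check to constructed records in the shape of Windows Security event 4703, "A user right was adjusted". The two rows for PID 4172 mirror the table above; the sqlservr.exe and svchost.exe rows, the allowlist, the directory prefixes and the function names are assumptions for illustration.

```python
from typing import Iterable

# Constructed records in the shape of Windows Security event 4703, cut down to
# the fields the check uses: the adjusting process and the EnabledPrivilegeList /
# DisabledPrivilegeList values. The two PID 4172 rows mirror what the sandbox
# reported for this sample; the sqlservr.exe and svchost.exe rows are invented noise.
SAMPLE_4703 = [
    {"pid": 4172,
     "process": r"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe",
     "enabled": "SeLockMemoryPrivilege", "disabled": "-"},
    {"pid": 4172,
     "process": r"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe",
     "enabled": "SeLockMemoryPrivilege", "disabled": "-"},
    {"pid": 1204,
     "process": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "enabled": "SeLockMemoryPrivilege", "disabled": "-"},
    {"pid": 880,
     "process": r"C:\Windows\System32\svchost.exe",
     "enabled": "SeIncreaseBasePriorityPrivilege SeShutdownPrivilege", "disabled": "-"},
]

# Assumption: the only legitimate large-page user in this environment. Build the
# real list from your own estate; database engines are the usual entries.
LARGE_PAGE_ALLOWLIST = {
    r"c:\program files\microsoft sql server\mssql15.mssqlserver\mssql\binn\sqlservr.exe",
}

# Directories an unprivileged user can write to, plus the legacy C:\Windows\System
# directory this sample drops into, which normally holds no executables.
ODD_IMAGE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\windows\\system\\")


def privileges(field: str) -> set[str]:
    """4703 packs several privilege names into one whitespace-separated field; '-' means none."""
    return set() if field.strip() == "-" else set(field.split())


def lock_memory_hits(events: Iterable[dict]) -> list[dict]:
    """One finding per (pid, image) that enabled SeLockMemoryPrivilege and is not allowlisted."""
    findings: dict[tuple[int, str], dict] = {}
    for ev in events:
        if "SeLockMemoryPrivilege" not in privileges(ev["enabled"]):
            continue
        image = ev["process"].lower()
        if image in LARGE_PAGE_ALLOWLIST:
            continue
        key = (ev["pid"], image)
        finding = findings.setdefault(
            key, {"pid": ev["pid"], "process": ev["process"], "count": 0, "reasons": []})
        finding["count"] += 1
        if not finding["reasons"]:
            finding["reasons"].append("SeLockMemoryPrivilege enabled by a non-allowlisted image")
            if image.startswith(ODD_IMAGE_PREFIXES):
                finding["reasons"].append("image runs from a user-writable or legacy directory")
    return sorted(findings.values(), key=lambda f: f["pid"])


if __name__ == "__main__":
    for finding in lock_memory_hits(SAMPLE_4703):
        print(f"PID {finding['pid']} x{finding['count']}: {finding['process']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Event 4703 belongs to the "Audit Token Right Adjusted" subcategory, which is off by default and very noisy once enabled (svchost.exe adjusts rights constantly), so filter on EnabledPrivilegeList containing SeLockMemoryPrivilege at the collector rather than shipping every record. The report only shows the parent process making the request; whether the dropped children repeat it is not recorded here.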

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4172 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\rlrcCNs.exe
PID 4172 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\rlrcCNs.exe
PID 4172 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\npiwHQJ.exe
PID 4172 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\npiwHQJ.exe
PID 4172 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\AwVHFPX.exe
PID 4172 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\AwVHFPX.exe
PID 4172 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\oClRLGC.exe
PID 4172 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\oClRLGC.exe
PID 4172 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\MNbcIJN.exe
PID 4172 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\MNbcIJN.exe
PID 4172 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\yJKWIkV.exe
PID 4172 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\yJKWIkV.exe
PID 4172 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\tmdCzJE.exe
PID 4172 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\tmdCzJE.exe
PID 4172 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\tJhAHfZ.exe
PID 4172 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\tJhAHfZ.exe
PID 4172 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\hahnrgn.exe
PID 4172 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\hahnrgn.exe
PID 4172 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\dxwneza.exe
PID 4172 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\dxwneza.exe
PID 4172 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\kEUivoc.exe
PID 4172 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\kEUivoc.exe
PID 4172 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\VcYLhtl.exe
PID 4172 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\VcYLhtl.exe
PID 4172 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\uMWjaLQ.exe
PID 4172 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\uMWjaLQ.exe
PID 4172 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\iKTzwDD.exe
PID 4172 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\iKTzwDD.exe
PID 4172 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\hVGPoxi.exe
PID 4172 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\hVGPoxi.exe
PID 4172 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\CWgBBkV.exe
PID 4172 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\CWgBBkV.exe
PID 4172 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\JIEOtbi.exe
PID 4172 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\JIEOtbi.exe
PID 4172 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\bHkFBHY.exe
PID 4172 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\bHkFBHY.exe
PID 4172 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\vKxvEGR.exe
PID 4172 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\vKxvEGR.exe
PID 4172 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\oOLyCQi.exe
PID 4172 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\oOLyCQi.exe
PID 4172 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\RdqWwXi.exe
PID 4172 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe C:\Windows\System\RdqWwXi.exe
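
Read together, the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables show one parent (PID 4172) creating 21 executables in C:\Windows\System, a legacy directory that normally holds no executables, and then writing into the memory of each one as it launches it. Every write target is a file the parent itself dropped; none is a pre-existing process. That is the shape of a dropper fanning out, not of injection into a foreign process, so the WriteProcessMemory hits add little on their own; the useful correlation is "dropped it, then wrote into it", and the 7-letter mixed-case names are a secondary tell. The following is an added example (not part of this report or of the sandbox that produced it) that parses rows in the report's own two formats and performs that correlation. The row set is reconstructed from the tables above plus one invented write into explorer.exe, so the foreign-target branch is exercised; the regexes, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict

# Reconstructed from the two tables above: the parent image, the 21 names it
# dropped into C:\Windows\System, and the child PID it then wrote into, in the
# order the sandbox listed them. The final explorer.exe row is invented so the
# negative branch (a write into something the parent did not drop) is exercised.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe")
DROPPED = ["rlrcCNs", "npiwHQJ", "AwVHFPX", "oClRLGC", "MNbcIJN", "yJKWIkV", "tmdCzJE",
           "tJhAHfZ", "hahnrgn", "dxwneza", "kEUivoc", "VcYLhtl", "uMWjaLQ", "iKTzwDD",
           "hVGPoxi", "CWgBBkV", "JIEOtbi", "bHkFBHY", "vKxvEGR", "oOLyCQi", "RdqWwXi"]
CHILD_PIDS = [2464, 1788, 3396, 3872, 3516, 2744, 816, 2476, 4344, 4864, 2160,
              3208, 1916, 2932, 4608, 2816, 2740, 4480, 3204, 4108, 4720]

ROWS = [f"File created C:\\Windows\\System\\{n}.exe {DROPPER} N/A" for n in DROPPED]
ROWS += [f"PID 4172 wrote to memory of {pid} N/A {DROPPER} C:\\Windows\\System\\{n}.exe"
         for n, pid in zip(DROPPED, CHILD_PIDS) for _ in range(2)]  # sandbox lists each write twice
ROWS.append(f"PID 4172 wrote to memory of 5000 N/A {DROPPER} C:\\Windows\\explorer.exe")  # constructed

# The flat export separates columns with single spaces, so the parser anchors on
# the ".exe" suffix of each path rather than on whitespace; paths containing
# spaces would need a structured export instead.
FILE_RE = re.compile(r"^File created (?P<path>.+?\.exe) (?P<proc>.+?\.exe) (?P<target>.+)$")
WRITE_RE = re.compile(r"^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) "
                      r"(?P<indicator>\S+) (?P<proc>.+?\.exe) (?P<target>.+?\.exe)$")
RANDOM_NAME_RE = re.compile(r"\\[A-Za-z]{7}\.exe$")   # assumption: 7 random letters, as seen here
LEGACY_SYSTEM_DIR = "c:\\windows\\system\\"            # normally holds no executables
MIN_FANOUT = 5                                          # assumption: threshold for a "burst"


def correlate(rows):
    """Group WriteProcessMemory targets by parent and split them into files the
    same parent dropped ('self-sourced') versus anything else ('foreign')."""
    dropped = defaultdict(set)   # parent image (lower-cased) -> dropped paths (lower-cased)
    writes = defaultdict(dict)   # (parent pid, parent image) -> {child pid: target image}
    for line in rows:
        m = FILE_RE.match(line)
        if m:
            dropped[m["proc"].lower()].add(m["path"].lower())
            continue
        m = WRITE_RE.match(line)
        if m:
            writes[(int(m["ppid"]), m["proc"].lower())][int(m["cpid"])] = m["target"]
    findings = []
    for (ppid, image), children in writes.items():
        own = dropped.get(image, set())
        self_sourced = {pid: t for pid, t in children.items() if t.lower() in own}
        foreign = {pid: t for pid, t in children.items() if t.lower() not in own}
        in_legacy_dir = sum(t.lower().startswith(LEGACY_SYSTEM_DIR) for t in self_sourced.values())
        random_named = sum(bool(RANDOM_NAME_RE.search(t)) for t in self_sourced.values())
        findings.append({
            "parent_pid": ppid,
            "children": len(children),
            "self_sourced": len(self_sourced),
            "foreign": sorted(foreign.values()),
            "in_windows_system": in_legacy_dir,
            "random_names": random_named,
            "dropper_burst": len(self_sourced) >= MIN_FANOUT,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(ROWS):
        print(finding)
```

Note the case difference between the tables (C:\Windows\System\) and the behavioral1 Files listing (C:\Windows\system\); the correlation lower-cases paths for that reason. A write into a process the parent never dropped, as with the constructed explorer.exe row, is the case that deserves the injection label.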

Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe

"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe"

C:\Windows\System\rlrcCNs.exe

C:\Windows\System\rlrcCNs.exe

C:\Windows\System\npiwHQJ.exe

C:\Windows\System\npiwHQJ.exe

C:\Windows\System\AwVHFPX.exe

C:\Windows\System\AwVHFPX.exe

C:\Windows\System\oClRLGC.exe

C:\Windows\System\oClRLGC.exe

C:\Windows\System\MNbcIJN.exe

C:\Windows\System\MNbcIJN.exe

C:\Windows\System\yJKWIkV.exe

C:\Windows\System\yJKWIkV.exe

C:\Windows\System\tmdCzJE.exe

C:\Windows\System\tmdCzJE.exe

C:\Windows\System\tJhAHfZ.exe

C:\Windows\System\tJhAHfZ.exe

C:\Windows\System\hahnrgn.exe

C:\Windows\System\hahnrgn.exe

C:\Windows\System\dxwneza.exe

C:\Windows\System\dxwneza.exe

C:\Windows\System\kEUivoc.exe

C:\Windows\System\kEUivoc.exe

C:\Windows\System\VcYLhtl.exe

C:\Windows\System\VcYLhtl.exe

C:\Windows\System\uMWjaLQ.exe

C:\Windows\System\uMWjaLQ.exe

C:\Windows\System\iKTzwDD.exe

C:\Windows\System\iKTzwDD.exe

C:\Windows\System\hVGPoxi.exe

C:\Windows\System\hVGPoxi.exe

C:\Windows\System\CWgBBkV.exe

C:\Windows\System\CWgBBkV.exe

C:\Windows\System\JIEOtbi.exe

C:\Windows\System\JIEOtbi.exe

C:\Windows\System\bHkFBHY.exe

C:\Windows\System\bHkFBHY.exe

C:\Windows\System\vKxvEGR.exe

C:\Windows\System\vKxvEGR.exe

C:\Windows\System\oOLyCQi.exe

C:\Windows\System\oOLyCQi.exe

C:\Windows\System\RdqWwXi.exe

C:\Windows\System\RdqWwXi.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Apart from DNS to 8.8.8.8 (mostly PTR lookups) and HTTPS to Bing, the only traffic in the capture is seven TCP connections to 3.120.209.58:8080 (DE), for which no domain was recorded.

Files

memory/4172-0-0x00007FF6FAF00000-0x00007FF6FB251000-memory.dmp

memory/4172-1-0x00000147F9460000-0x00000147F9470000-memory.dmp

C:\Windows\System\rlrcCNs.exe

MD5 c68a50e0a897cc2c63c63a9297f49583
SHA1 b7664e57a3cd3bc58950b9a56140e722ba776210
SHA256 10fe6c2a25661bf2a579ae256ae3cd70133c4af63059d77a4b1cfb249ab44eb5
SHA512 ee0c1b805bef065482bed07613be709d6d042032cfd60dbbee5d3fe63985a842010a2c912fabc10533e2b800d05b04e7f77dfccc4b06502cccc2700441340ab5

C:\Windows\System\AwVHFPX.exe

MD5 a574db9a770c91ce109a6bc99ee8c1f1
SHA1 05f16baecea4b66d5d5df8683d84d4e06242d63f
SHA256 0068be446b3d8cd4ac34a064876de82234e71375b8934d0ac144e184ae19cd89
SHA512 6787a9a1d79d5c573726cb4d7419a487571d8ad6976188c7535ee0de57b6c5e3490984992647c367882105ff33df224e3d8c435b60d4083ff722a81c22ba5c29

C:\Windows\System\npiwHQJ.exe

MD5 c66fa88bcff11fafaf128d479e096c52
SHA1 0e07486d4fa0b391e43b5759ce685e2c08aeba74
SHA256 2949c59f535cf9e527b55ece1a99f1b3bbb40d9c49ae3e4afaaffa85dea54cb5
SHA512 8bc101642ff21f877f69932eb1e75850f8398e5f66d45da977df76823ef568c5cc073bf1d47777a22962f8ca421e25b88fd5101a667a8927f897a39be1779426

memory/2464-12-0x00007FF7AEAD0000-0x00007FF7AEE21000-memory.dmp

memory/1788-15-0x00007FF7D4470000-0x00007FF7D47C1000-memory.dmp

C:\Windows\System\oClRLGC.exe

MD5 23ad2b4936a3397e834aec6b6764ba6b
SHA1 c72f6db259a50c637fcc865e2252c88e590738c0
SHA256 53071b73eac629e8d87b5b2156178b34ab084a0e8e571f214e2c23005a3ec084
SHA512 ee1ab822c8abaabfa779e65d87adeba8e5d16bfb56d037bef30ac923143631881a65a42c27c5c9a7309cdf593102a56c6e1ca110a45fc19cc025269fc1cfaa3b

memory/3872-24-0x00007FF63AB00000-0x00007FF63AE51000-memory.dmp

memory/3396-18-0x00007FF658BC0000-0x00007FF658F11000-memory.dmp

C:\Windows\System\MNbcIJN.exe

MD5 ef9b862b3b3b57d7cc1d2a0b5c4e31aa
SHA1 41f48e9eacc018d07c7607641cc3bbce559109bd
SHA256 a29c9e897f6aebde17a0c3aa734fef907d2b6b7152512677547f720fd5b02b90
SHA512 3688a4c5523832b92f1323eac742176d62de21086ed8b24a56cdd405195937820de52173c3d45b3fb2d762137a73d4f2bd47f971f4626da1e3452b46197f2212

memory/3516-30-0x00007FF673160000-0x00007FF6734B1000-memory.dmp

C:\Windows\System\yJKWIkV.exe

MD5 cd44357152911c33dc86683e2c9407fd
SHA1 be704c030904eb5ace88d375a99b5febc1a8b1fd
SHA256 eb77c138b90fb7b52f6381d07fbc3204a077c1582f02e34cbc54253dd4bcdf83
SHA512 345cd9c96f80ebf72b3603ddc38a2dbcf04421d2c9cedd13338c489be716a2b5c1dfb158d1124d0d0cd1616935cdd938fecc555288dc7020566a044a7bfb2c10

memory/2744-37-0x00007FF703A10000-0x00007FF703D61000-memory.dmp

C:\Windows\System\tmdCzJE.exe

MD5 7fd30628914668e17f269f1d1dbdac19
SHA1 3476aacec4b3dc721fb1f4f894963149d0f91e85
SHA256 941618d5537d132caac0d4607cef118fd39eb17789f6e8ab9ef3ed1c0f9a7436
SHA512 374b6012839bb9dc88c6635242b0b63173265295f52fbaca5782f8bad4aa08b6a57fdae3d63e1590a4583618673ff858e71a42b37fee5d027ffbe7f7a4d2daa1

C:\Windows\System\tJhAHfZ.exe

MD5 094b8cd4d8c52799029ec4873411b901
SHA1 13a20faf0fdebe61b9fd56ba3960c1f1c3f9ece3
SHA256 4aa9d8b3dc761e805657a47befbb30f65524d84f66ba92ef51b76c077aaa49ed
SHA512 24066795fc07b23f9b9f4048affc3f573c62c4fa77b2f84078341445e213e17f58d7d4db0b105246e622872820c769d41bab5448fc4c66460306597caa1dad65

C:\Windows\System\dxwneza.exe

MD5 2fa3c0db1449c1f6af2a19d6e3fd44e1
SHA1 ab29eb1555d3f05df9daa7763914ef8966f8d05e
SHA256 7320f55a223301ac17de3a747452ee18463c9205a0d8c17666caf6c4101df1ba
SHA512 af8cab6303685aef45f52c29aea18743bbb9476628d69f3acda272ccebd9291d4d9daf903fd4a37951d79177306e6163f9947870cd2550554d17f6dac2908c8d

memory/4864-60-0x00007FF706430000-0x00007FF706781000-memory.dmp

memory/4344-59-0x00007FF792F50000-0x00007FF7932A1000-memory.dmp

C:\Windows\System\VcYLhtl.exe

MD5 f52641e2abf962a63038fbc6196d7004
SHA1 6deb0b6ab7353bba11a8e01e9d8880dc70db4584
SHA256 ad25f8fe14b40bceb8da76c65e82ad6f387fc183b50a1dc18e25c52ab31d6716
SHA512 3799f9d95d017d751697ceb9890e7147792a66168d8cd7f51ebdc500c6927c35e1005c2c2c4aa48d6c36d8794dd1568fa1e0fe6ec862264b80fec6ffbff9c0b3

memory/2160-81-0x00007FF637840000-0x00007FF637B91000-memory.dmp

C:\Windows\System\JIEOtbi.exe

MD5 971ff64b0fcdd29d5b37a4198201d98c
SHA1 7087499da5e17ced66c32ea9b7a228f82649f3a5
SHA256 5d88c6c9a14ee11cf101287f1994f6771348394792164b9fc5e37024bd1c46e4
SHA512 97e3454750bc877665e737673aa85399c0d6416b59ec70e0b93b9b91e77e42254403707b8c3de781e8cbcc8981927f85614c6a93d4e7a2a3da9dd3053f7ee4e1

C:\Windows\System\vKxvEGR.exe

MD5 3f45937c2b99db5f7e11238bfc09df13
SHA1 89150d0c683cfc6350377de45fb1593e10c99bbc
SHA256 3f88f87d486b4fb229d30d93ca24db9d52e422f31e615b582dca788fb60556d1
SHA512 31de88b0f3569d358ad4e4ade340b2619ea8ebd533fe9710964f9f4f028a0cbc4887bef46290a974ac351d609d3d06123d99de48c5914ff313a8c069f2712749

C:\Windows\System\RdqWwXi.exe

MD5 551feb8a00c4136cb453095ebe4fd9f3
SHA1 8114dd338dd164cc79f8848a33e8d7ee55d9b7f0
SHA256 8ec7e64994e7fd1dab08ae07a1c9bb1afcae2d5d599448f406df3413acf22357
SHA512 02fb3233aa9e80ed85ba693306b4681a2be9d7a79c10770b399fc1b041561d41ea70c9424302ff06c9acaaadf3426c40a6624f4c09b798e00e156c79f7dfaf24

C:\Windows\System\oOLyCQi.exe

MD5 5e1718309f5911c1ac88e32141d2915c
SHA1 82720551fd43be9d9582b913ae482ed7d4ae9817
SHA256 87e53b0a5b583b022faefe04de86247be4b1f6a4850a34250632d985d724da66
SHA512 241c203632d63957d94a18d608a51918e0f850593d7ab8afb44865c6f183485e21d877e74a86debe91e02d259639ef2faa232f6e995b3b47fb9c55c8a8728d87

C:\Windows\System\bHkFBHY.exe

MD5 a276916279ead9e659f7d387943440ac
SHA1 6a0e70b354f028d3ac7994e5dbd52efc40bdeaaf
SHA256 824ca288c0bf57dce875b1b3392a7bd91c26607bdbe61925fdf19e34ea74c18f
SHA512 73686f594e8cf41e88a528641fe40680ba3512d22c743fbc457abf5a9a09d7f62609a59008142830e007adb4a0ef95058a50038c679a1e4bed69092dec86f15e

C:\Windows\System\CWgBBkV.exe

MD5 ca47a24747cf73bd8c9ee4bb01f25fdd
SHA1 ebe7d5ec45ba7dccce48521b1926a93127295909
SHA256 4602958744bfa7070701f7f56fe19cb1446c908648b2f075d194628093a2a42f
SHA512 fbb1badde4cbd1de822451520b47f470f6302c3cbb471ed1650bb2fbda928f3f3176be2a6f419350592a05bb9d61cc576471b9db6450a46ed55b56e7e5290230

C:\Windows\System\hVGPoxi.exe

MD5 d1cd782d694a8d035f6df2cc6f83e10f
SHA1 15e1e2decf18769214514ece837d740cd9ea36a9
SHA256 d9eb2f38839dd6daf6bb514d640bf4b915f99ff7f57dbfff39f0fe7f41da3659
SHA512 74d31140dd103cc3ed30a06122fb2191059459d0c46c7a3fe905a159fae12b6e6bf5dfcac12f185c607b8fdd4287b10452b4705aca9567f3e8293ece0668c22c

memory/3208-87-0x00007FF750BA0000-0x00007FF750EF1000-memory.dmp

C:\Windows\System\iKTzwDD.exe

MD5 c08370082975b5519f98fbbe6831e055
SHA1 351342be9024a3bc66961b5c1b789245d44ae976
SHA256 8f6955c96b5d6e0037a6784786c37e63d112349a1a486601d6890a45e7de3692
SHA512 2d0581ce2294f82e87549deaf1faca66804f79933902778d43a6e9038b943e309af1d37050562dece1f45296239a430f4c844956b36cbb384f018ff27f547db1

C:\Windows\System\uMWjaLQ.exe

MD5 3d867a878a6d7f6a3e7531858ae2fbba
SHA1 831689fa7971dd0c6f8ea3c2b9bd7277204f7a6f
SHA256 668edf4dd18064a0a0e531ed6ecb05a687a1a66f5b9a6b881462521612e5853c
SHA512 db00799cf0d3f4f6751dc21d959ae68480f9b87f5a1c7475f733cedcfe71a8551f99e5a294ea7426e9645daf41cb635f4a79e7b6df9d9541eba84e230ad7a848

memory/2464-76-0x00007FF7AEAD0000-0x00007FF7AEE21000-memory.dmp

memory/4172-75-0x00007FF6FAF00000-0x00007FF6FB251000-memory.dmp

C:\Windows\System\kEUivoc.exe

MD5 e30c10f817d419a9e57a4ff0ccc142a8
SHA1 c163733e3200202d7935c70b35775a80b1eb126b
SHA256 b61737de690ffd57657fae2716cc552ccf0e99e5856a1d30ea2e7578455c52ad
SHA512 d36034ca8f6804f64c9b80466d49046ba94e16d25038732a239d37dc1b8ad093247b1df880e93846f51cc87b98bcd3c82d50c4f77fb667c4330313cbf02cf753

C:\Windows\System\hahnrgn.exe

MD5 d311ca33e1888aa854e594b22ed8a3be
SHA1 6b960aed0c17c2ba469029b9a1e464f5cba5b6f7
SHA256 fec68641ee15f35a0f2e83293f35149fb9a0dbb1b7fdbfc00b3438557fb54033
SHA512 7a3deb886bf7bc8432cb221eace016577600e2769cd84c236f3d3260b86a83aff2236f8117feaae6c9efff9c093528f49c1ce3988c38a68764d579e71bacd60c

memory/2476-49-0x00007FF65C9B0000-0x00007FF65CD01000-memory.dmp

memory/816-44-0x00007FF6DC4C0000-0x00007FF6DC811000-memory.dmp

memory/1916-121-0x00007FF6403D0000-0x00007FF640721000-memory.dmp

memory/816-129-0x00007FF6DC4C0000-0x00007FF6DC811000-memory.dmp

memory/2476-130-0x00007FF65C9B0000-0x00007FF65CD01000-memory.dmp

memory/4608-137-0x00007FF6BF710000-0x00007FF6BFA61000-memory.dmp

memory/4864-132-0x00007FF706430000-0x00007FF706781000-memory.dmp

memory/2744-128-0x00007FF703A10000-0x00007FF703D61000-memory.dmp

memory/2740-139-0x00007FF796AD0000-0x00007FF796E21000-memory.dmp

memory/4720-143-0x00007FF7AC3E0000-0x00007FF7AC731000-memory.dmp

memory/4108-142-0x00007FF7125E0000-0x00007FF712931000-memory.dmp

memory/3204-141-0x00007FF7B0660000-0x00007FF7B09B1000-memory.dmp

memory/4480-140-0x00007FF778A20000-0x00007FF778D71000-memory.dmp

memory/2816-138-0x00007FF7D62B0000-0x00007FF7D6601000-memory.dmp

memory/2932-136-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp

memory/3516-127-0x00007FF673160000-0x00007FF6734B1000-memory.dmp

memory/3872-126-0x00007FF63AB00000-0x00007FF63AE51000-memory.dmp

memory/3396-125-0x00007FF658BC0000-0x00007FF658F11000-memory.dmp

memory/4172-122-0x00007FF6FAF00000-0x00007FF6FB251000-memory.dmp

memory/1788-124-0x00007FF7D4470000-0x00007FF7D47C1000-memory.dmp

memory/4172-144-0x00007FF6FAF00000-0x00007FF6FB251000-memory.dmp

memory/2464-193-0x00007FF7AEAD0000-0x00007FF7AEE21000-memory.dmp

memory/1788-195-0x00007FF7D4470000-0x00007FF7D47C1000-memory.dmp

memory/3396-197-0x00007FF658BC0000-0x00007FF658F11000-memory.dmp

memory/3872-199-0x00007FF63AB00000-0x00007FF63AE51000-memory.dmp

memory/2744-203-0x00007FF703A10000-0x00007FF703D61000-memory.dmp

memory/3516-204-0x00007FF673160000-0x00007FF6734B1000-memory.dmp

memory/4344-218-0x00007FF792F50000-0x00007FF7932A1000-memory.dmp

memory/816-220-0x00007FF6DC4C0000-0x00007FF6DC811000-memory.dmp

memory/2476-222-0x00007FF65C9B0000-0x00007FF65CD01000-memory.dmp

memory/4864-224-0x00007FF706430000-0x00007FF706781000-memory.dmp

memory/2160-230-0x00007FF637840000-0x00007FF637B91000-memory.dmp

memory/1916-228-0x00007FF6403D0000-0x00007FF640721000-memory.dmp

memory/3208-227-0x00007FF750BA0000-0x00007FF750EF1000-memory.dmp

memory/2740-236-0x00007FF796AD0000-0x00007FF796E21000-memory.dmp

memory/2816-238-0x00007FF7D62B0000-0x00007FF7D6601000-memory.dmp

memory/4480-240-0x00007FF778A20000-0x00007FF778D71000-memory.dmp

memory/2932-234-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp

memory/4608-233-0x00007FF6BF710000-0x00007FF6BFA61000-memory.dmp

memory/4720-242-0x00007FF7AC3E0000-0x00007FF7AC731000-memory.dmp

memory/3204-246-0x00007FF7B0660000-0x00007FF7B09B1000-memory.dmp

memory/4108-244-0x00007FF7125E0000-0x00007FF712931000-memory.dmp
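
Comparing the two Files listings shows that each dropped name carries the same digests in both detonations (MNbcIJN.exe, for instance, has the same MD5, SHA1, SHA256 and SHA512 under behavioral1 and behavioral2), so the hashes are stable indicators rather than per-run artifacts, while the 21 names carry 21 different digests. The memory-region names also encode each region's bounds: every image-sized region in both runs, the dropper's own (4172-0) included, spans 0x351000 bytes, with only the small 4172-1 region differing. Same size with different content is consistent with re-keyed copies of one binary, though the listing alone cannot confirm that. The following is an added example (not part of this report or of the sandbox that produced it) that parses the listing format, checks cross-run hash stability and tallies region sizes. The excerpt values are copied from the listings above, with SHA512 lines left out; the function names and everything else are assumed for illustration.

```python
import re
from collections import Counter

# Excerpts of the two Files listings above: paths, digests and memory-region
# names copied from this report (SHA512 lines omitted to keep the excerpt short).
RUN1_FILES = r"""
C:\Windows\system\JIEOtbi.exe
MD5 971ff64b0fcdd29d5b37a4198201d98c
SHA1 7087499da5e17ced66c32ea9b7a228f82649f3a5
SHA256 5d88c6c9a14ee11cf101287f1994f6771348394792164b9fc5e37024bd1c46e4
memory/2000-104-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2596-103-0x000000013FFC0000-0x0000000140311000-memory.dmp
C:\Windows\system\MNbcIJN.exe
MD5 ef9b862b3b3b57d7cc1d2a0b5c4e31aa
SHA1 41f48e9eacc018d07c7607641cc3bbce559109bd
SHA256 a29c9e897f6aebde17a0c3aa734fef907d2b6b7152512677547f720fd5b02b90
memory/2584-28-0x000000013F6E0000-0x000000013FA31000-memory.dmp
"""
RUN2_FILES = r"""
memory/4172-0-0x00007FF6FAF00000-0x00007FF6FB251000-memory.dmp
memory/4172-1-0x00000147F9460000-0x00000147F9470000-memory.dmp
C:\Windows\System\rlrcCNs.exe
MD5 c68a50e0a897cc2c63c63a9297f49583
SHA1 b7664e57a3cd3bc58950b9a56140e722ba776210
SHA256 10fe6c2a25661bf2a579ae256ae3cd70133c4af63059d77a4b1cfb249ab44eb5
memory/2464-12-0x00007FF7AEAD0000-0x00007FF7AEE21000-memory.dmp
C:\Windows\System\MNbcIJN.exe
MD5 ef9b862b3b3b57d7cc1d2a0b5c4e31aa
SHA1 41f48e9eacc018d07c7607641cc3bbce559109bd
SHA256 a29c9e897f6aebde17a0c3aa734fef907d2b6b7152512677547f720fd5b02b90
C:\Windows\System\JIEOtbi.exe
MD5 971ff64b0fcdd29d5b37a4198201d98c
SHA1 7087499da5e17ced66c32ea9b7a228f82649f3a5
SHA256 5d88c6c9a14ee11cf101287f1994f6771348394792164b9fc5e37024bd1c46e4
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$")


def parse_files_section(text):
    """Walk the flat listing: a path line opens a file entry, the digest lines that
    follow belong to it, and memory/... lines are process memory regions."""
    files, regions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line.rsplit("\\", 1)[-1].lower()   # compare by file name, case-folded
            files.setdefault(current, {})
        elif (m := HASH_RE.match(line)) and current:
            files[current][m[1]] = m[2]
        elif m := MEM_RE.match(line):
            pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            regions.append((pid, idx, start, end))
    return files, regions


def compare_runs(run_a, run_b):
    """Cross-run view: which names kept their bytes, which changed, and the region sizes."""
    fa, ra = parse_files_section(run_a)
    fb, rb = parse_files_section(run_b)
    a = {n: h["SHA256"] for n, h in fa.items() if "SHA256" in h}
    b = {n: h["SHA256"] for n, h in fb.items() if "SHA256" in h}
    common = a.keys() & b.keys()
    return {
        "stable": sorted(n for n in common if a[n] == b[n]),    # same bytes in both runs
        "changed": sorted(n for n in common if a[n] != b[n]),   # per-run content: weak IOC
        "only_a": sorted(a.keys() - b.keys()),
        "only_b": sorted(b.keys() - a.keys()),
        "sha256_iocs": sorted(set(a.values()) | set(b.values())),
        "region_sizes": Counter(end - start for _, _, start, end in ra + rb),
    }


if __name__ == "__main__":
    for key, value in compare_runs(RUN1_FILES, RUN2_FILES).items():
        print(f"{key}: {value}")
```

Names that land in "stable" are safe to push as file-hash indicators; anything in "changed" would mean the sample rewrites its payloads per run and the path or naming pattern is the better indicator. The parser keys on the ".exe" suffix because the flat export has no column delimiter other than a space.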